MacDonell, Dennis
2003-May-26 02:53 UTC
[Samba] Problems with NT passwords on samba 2.2.8 and earlier versions.
Hi,

To elaborate on the password problem -

We are operating in an NT4 environment that is slowly migrating to w2k. We have a number of unix workstations and servers that are running samba to share their disk space to PC users. The PC password policy requires that users change their password at monthly intervals. The samba configuration on all the unix boxes points to an NT4 PDC server for password authentication using the following samba configuration commands

    encryptpasswords = yes
    local master = no
    name resolve order = wins, host
    password server = <name of pdc>
    protocol = NT1
    security = server
    username map = /usr/local/samba/etc/smbusers
    workgroup = <system wide group name>

What appears to be happening is that samba is caching something about the user's NT password at the time they initialise a samba connection. So, when the user is forced to change their windows password, by the 1 month aging process on the pdc, the samba connections that a user has established, start causing illegal password entries in the pdc event log. After a number of password failures the pdc locks the account. Things seem to get reset, when I run a script that clears out all nmbd and smbd processes on the unix server, the user's samba connections seem to be re-established with their current (new) password.

I guess one solution to this might be to run a cron job in the middle of the night that clears out all smbd and nmbd processes running on the unix box. However that can lead to problems if a user is running a process on their PC that is accessing a file on a unix box. The process seems to lose track of where it is in the file or something.

Dennis

######################################
Dennis Macdonell
Systems Administrator
National Mapping Division, Geoscience Australia
mail: PO Box 2, Belconnen, ACT 2617
email: mcdonell@auslig.gov.au
ph: 61 2 6201 4326
fax: 61 2 6201 4377
######################################
Marian Mlcoch, Ing
2003-May-26 06:03 UTC
[Samba] Problems with NT passwords on samba 2.2.8 and earlier versions.
Hi Dennis,

you write but do not read what the manpage says about security=server mode, that is:

SECURITY = SERVER

In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user, but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.

Note that from the client's point of view security = server is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = DOMAIN

This mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

....

Your problem is written and can be resolved by changing security to domain or another way to sync changes on passwd using winbind or ldap...

That's all folks.
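An added example, not part of the original thread and not Samba code: a small Python check that reads the [global] section of an smb.conf and flags the security = server setting discussed above, as well as security = domain without encrypted passwords. The sample configuration is constructed from the settings quoted in the first message; EXAMPLEPDC and EXAMPLEGROUP are placeholders for the elided names, and the finding codes are hypothetical.

```python
import re

# Constructed sample: the [global] settings quoted in the first message,
# with EXAMPLEPDC / EXAMPLEGROUP as placeholders for the elided names.
SAMPLE_SMB_CONF = """\
[global]
   encryptpasswords = yes
   local master = no
   name resolve order = wins, host
   password server = EXAMPLEPDC
   protocol = NT1
   security = server
   username map = /usr/local/samba/etc/smbusers
   workgroup = EXAMPLEGROUP
"""

def norm(name):
    # Samba matches parameter names ignoring case and embedded whitespace,
    # so "encryptpasswords" and "encrypt passwords" are the same parameter.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return (security mode, [finding codes]); the codes are hypothetical names."""
    p = parse_global(text)
    mode = p.get("security", "").lower()
    encrypted = p.get("encryptpasswords", "").lower() in ("yes", "true", "1")
    findings = []
    if mode == "server":
        # Pass-through validation against another SMB server; the reply in
        # this thread recommends security = domain instead.
        findings.append("SECURITY_SERVER_MODE")
    if mode == "domain" and not encrypted:
        # The manpage says domain mode expects encrypted passwords = yes.
        findings.append("DOMAIN_WITHOUT_ENCRYPTED_PASSWORDS")
    return mode, findings
```

Calling audit(SAMPLE_SMB_CONF) reports the server-mode finding; the same file with security = domain and encrypted passwords left on reports none.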